Another Winfixer Issue



#1
elizs77

I have been having the Winfixer and related pop-unders for a few days now, and it is an annoyance and has slowed down my computer. I have run Cleanup, AdAware SE, Spy Box, Panda and Trojan Hunter.

Below I have posted both Hijackthis and ewido scan logs:

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:34:01 PM, on 12/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Adobe\Web\AOM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O1 - Hosts: 65.207.120.253 www.visatrax.com
O1 - Hosts: 172.17.4.12 www.ogletree.com
O1 - Hosts: 172.17.4.13 extranet
O1 - Hosts: 172.17.4.13 my.odnss.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\sstts.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: LexLink IE ToolBar - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - C:\Program Files\LexisNexis\CheckCite\llieobj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O15 - Trusted Zone: http://installs.odnss.com
O15 - Trusted Zone: http://www.visatrax.com
O16 - DPF: {05CE4481-8015-11D3-9811-C4DA9F000000} - http://www.topmoxie....mise_moxie0.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxres...m/Preloader.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2CFAA5B7-41EF-11D4-8B61-0040053D2608} (ogsDynaTree.ogsDynaTreeCtrl) - https://www.visatrax...ogsDynaTree.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = odnss.com
O17 - HKLM\Software\..\Telephony: DomainName = odnss.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = odnss.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = odnss.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = odnss.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = odnss.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = odnss.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: sstts - C:\WINDOWS\system32\sstts.dll
O23 - Service: McAfee Alert Manager (AlertManager) - McAfee Division of Network Associates, Inc. - C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)



ewido Log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:06:37 PM, 12/13/2005
+ Report-Checksum: 46EE2E56

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{83654581-4333-11D5-B0DF-0050DAC24E8F} -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{83654582-4333-11D5-B0DF-0050DAC24E8F} -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{83654583-4333-11D5-B0DF-0050DAC24E8F} -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{83654584-4333-11D5-B0DF-0050DAC24E8F} -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{83654585-4333-11D5-B0DF-0050DAC24E8F} -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\IWonToolbar.iWonNetscapeShutdown -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\IWonToolbar.iWonNetscapeShutdown\CLSID -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\IWonToolbar.iWonNetscapeShutdown\CurVer -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\IWonToolbar.iWonNetscapeShutdown.1 -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\IWonToolbar.iWonNetscapeStartup -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\IWonToolbar.iWonNetscapeStartup\CLSID -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\IWonToolbar.iWonNetscapeStartup\CurVer -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\IWonToolbar.iWonNetscapeStartup.1 -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\iWon -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\iWon\iWonBar -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\iWon\iWonSlots -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{05CE4481-8015-11D3-9811-C4DA9F000000} -> Spyware.WebRebates : Cleaned with backup
HKU\S-1-5-21-4070995279-1694720459-516276246-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{556DDE35-E955-11D0-A707-000000521958} -> Spyware.IEPlugin : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\administrator@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\administrator@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\administrator@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\ha!!15k31v1n\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\ha!!15k31v1n\Cookies\administrator@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\SchaafEH\Cookies\schaafeh@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\SchaafEH\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\SchaafEH\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\SchaafEH\Cookies\[email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\SchaafEH\Cookies\[email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\SchaafEH\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\SchaafEH\Cookies\schaafeh@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\SchaafEH\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\SchaafEH\Cookies\schaafeh@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\SchaafEH\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\SchaafEH\Local Settings\Temp\Cookies\schaafeh@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\SchaafEH\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\SchaafEH\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-113007714-725345543-500\Dc14\Cookies\administrator@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-113007714-725345543-500\Dc14\Cookies\administrator@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-113007714-725345543-500\Dc14\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-113007714-725345543-500\Dc14\Cookies\administrator@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-113007714-725345543-500\Dc14\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\WINDOWS\cpbrkpie.ocx -> Spyware.Coupon : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\administrator@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
D:\quarantine\Dd6.Vir.Vir -> Spyware.HelpExpress : Cleaned with backup
D:\quarantine\Dd7.Vir.Vir -> Spyware.HelpExpress : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/c://windows/downloaded program files/preloader.dll -> Downloader.OTXloader : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@spinbox[1].txt -> Spyware.Cookie.Spinbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@commission-junction[1].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Adserver : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/administrator@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@valueclick[3].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@estat[1].txt -> Spyware.Cookie.Estat : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@clickagents[1].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/administrator@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@linksynergy[1].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/administrator@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@trafic[2].txt -> Spyware.Cookie.Trafic : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Counted : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@hotlog[1].txt -> Spyware.Cookie.Hotlog : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@pro-market[1].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@valuead[2].txt -> Spyware.Cookie.Valuead : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/schaafeh@weborama[2].txt -> Spyware.Cookie.Weborama : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Valuead : Cleaned with backup
D:\quarantine\Dd8.Vir.Vir/C:/Documents and Settings/SchaafEH/Cookies/[email protected][1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup


::Report End
  • 0


#2
rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
elizs77,

Welcome to the GTG Forums, I will be reviewing your HJT log.
Please read "ALL" of the instructions before proceeding:

You will need to print out these instructions for a reference or you can
save them by copying and pasting them into notepad and saving the text file to the desktop.

This process will take a few steps, please take your time and follow the directions in the order posted.
If you don't understand something, please ask before performing any task.


Please download VundoFix.exe and save it to your desktop.
  • Double-click VundoFix.exe to extract the files.
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning. It should look like this:

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\sstts.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):

    • C:\WINDOWS\system32\sttss.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open. If it does not open automatically, please open it manually.
  • In HijackThis, please place a checkmark next to each of the following items and click FIX CHECKED:
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\sstts.dll

O16 - DPF: {05CE4481-8015-11D3-9811-C4DA9F000000} - http://www.topmoxie....mise_moxie0.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxres...m/Preloader.dll

O20 - Winlogon Notify: sstts - C:\WINDOWS\system32\sstts.dll

  • After you have fixed these items, close HijackThis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Thanks,
rstones12
  • 0
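
The check behind the HijackThis step in the post above, as an added example that is not part of the thread or of any tool named in it: it parses O2 (BHO) and O20 (Winlogon Notify) lines, reports any DLL registered under both (the pairing the helper asks to be fixed for sstts.dll), and diffs two logs to confirm the entries are gone after the fix. The function names and the two sample logs are assumptions; the samples are constructed from lines quoted in this thread.

```python
import re
from collections import defaultdict

# "O2 - BHO: <name> - {CLSID} - <path>". Anchoring on the CLSID keeps paths
# that themselves contain " - " (e.g. "Spybot - Search & Destroy") intact.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
# "O20 - Winlogon Notify: <name> - <path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

# Constructed sample: entries quoted in the thread before the fix.
BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\sstts.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: sstts - C:\WINDOWS\system32\sstts.dll
"""

# Constructed sample: the same sections as they appear in the later log.
AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""


def normalize(path):
    """Windows paths are case-insensitive; compare them lowercased."""
    return path.strip().strip('"').lower()


def parse_load_points(log_text):
    """Return (section, name, normalized_path) for every O2 and O20 line."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, rx in (("O2", BHO_RE), ("O20", NOTIFY_RE)):
            m = rx.match(line)
            if m:
                entries.append((section, m.group("name"), normalize(m.group("path"))))
    return entries


def dual_registered(log_text):
    """Paths registered both as a BHO and as a Winlogon Notify package.

    This is a triage heuristic, not a verdict: it only narrows down which
    entries deserve a closer look.
    """
    sections = defaultdict(set)
    for section, _name, path in parse_load_points(log_text):
        sections[path].add(section)
    return sorted(p for p, s in sections.items() if {"O2", "O20"} <= s)


def removed_load_points(before, after):
    """(section, path) pairs present in the first log but not in the second."""
    old = {(s, p) for s, _n, p in parse_load_points(before)}
    new = {(s, p) for s, _n, p in parse_load_points(after)}
    return sorted(old - new)


if __name__ == "__main__":
    print("dual-registered before:", dual_registered(BEFORE))
    print("dual-registered after: ", dual_registered(AFTER))
    print("removed by the fix:    ", removed_load_points(BEFORE, AFTER))
```

A clean result here only covers the O2 and O20 sections; it says nothing about files that a separate scanner still reports.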

#3
elizs77

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Thank you so much for your assistance with this.

I followed the instructions. However, I was not able to find the entry for the O16 - DPF for Top Moxie when I did the fixing in HijackThis.

ActiveScan Log:

Incident Status Location

Spyware:spyware/searchcentrix Not disinfected Windows Registry
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ssqpm.dll


Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:46:12 PM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O1 - Hosts: 65.207.120.253 www.visatrax.com
O1 - Hosts: 172.17.4.12 www.ogletree.com
O1 - Hosts: 172.17.4.13 extranet
O1 - Hosts: 172.17.4.13 my.odnss.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: LexLink IE ToolBar - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - C:\Program Files\LexisNexis\CheckCite\llieobj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O15 - Trusted Zone: http://installs.odnss.com
O15 - Trusted Zone: http://www.visatrax.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2CFAA5B7-41EF-11D4-8B61-0040053D2608} (ogsDynaTree.ogsDynaTreeCtrl) - https://www.visatrax...ogsDynaTree.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = odnss.com
O17 - HKLM\Software\..\Telephony: DomainName = odnss.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = odnss.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = odnss.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = odnss.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = odnss.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = odnss.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Alert Manager (AlertManager) - McAfee Division of Network Associates, Inc. - C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)


Vundofix.txt file:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\sstts.dll

The second filepath entered was C:\WINDOWS\system32\stss.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 380 'smss.exe'

Killing PID 336 'explorer.exe'
Killing PID 336 'explorer.exe'


Killing PID 656 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\sstts.dll Deleted sucessfully.
C:\WINDOWS\system32\stss.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------
  • 0

#4
rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
elizs77,

OK, we have a few more things to do.

Please read "ALL" of the instructions before proceeding:

Please download the KillBox by Option^Explicit and save it to your desktop.
Do not use it yet; we will shortly.

Now open HijackThis and place a checkmark next to each of the following items:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab

Now close all browsers and open windows except for HijackThis, then click the Fix Checked button. Close HJT.
  • Now let's run KillBox.
  • Please double-click KillBox.exe to run it.
  • Select:
    • Delete on Reboot
  • In the field labeled Full Path of File to Delete enter the file path listed below.

    C:\WINDOWS\system32\ssqpm.dll

  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run KillBox, click here to download and run missingfilesetup.exe. Then try KillBox again.

Once you have rebooted back into Normal Mode, please do the following:
  • Now launch Notepad and copy/paste everything in the codebox below into Notepad:

    dir %Systemdrive%\sttss.* /a h /s > files.txt
    start notepad files.txt
    cls
    EXIT
  • Go to File Menu | Save As and click the drop down box Save As Type to All Files and then save it to your desktop as findthis.bat
  • Locate findthis.bat on your desktop and double-click on it.
  • This will perform a search for some files. When Notepad opens, save that file to your desktop and submit it in your next post. It will take a short while, so be patient.
Now do the following:

1. Go to Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.

After reboot, go back into the Control Panel and double-click the Java icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked:

1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.

Now post back the results of the file search and a new HijackThis log by using Add Reply.

Thanks,
rstones12
  • 0

#5
elizs77

elizs77

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I had a bit of trouble updating my Java, so I'm not sure if it did or not.

Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 6:28:43 PM, on 12/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O1 - Hosts: 65.207.120.253 www.visatrax.com
O1 - Hosts: 172.17.4.12 www.ogletree.com
O1 - Hosts: 172.17.4.13 extranet
O1 - Hosts: 172.17.4.13 my.odnss.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: LexLink IE ToolBar - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - C:\Program Files\LexisNexis\CheckCite\llieobj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O15 - Trusted Zone: http://installs.odnss.com
O15 - Trusted Zone: http://www.visatrax.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2CFAA5B7-41EF-11D4-8B61-0040053D2608} (ogsDynaTree.ogsDynaTreeCtrl) - https://www.visatrax...ogsDynaTree.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = odnss.com
O17 - HKLM\Software\..\Telephony: DomainName = odnss.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = odnss.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = odnss.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = odnss.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = odnss.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = odnss.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Alert Manager (AlertManager) - McAfee Division of Network Associates, Inc. - C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)



findthis.bat Scan:

Volume in drive C is SYS
Volume Serial Number is 1C60-D65A

Directory of C:\Program Files\Adobe\Acrobat 5.0\Distillr\Data\psdisk\Resource\CMap

04/16/2001 04:39 PM 3,960 H
1 File(s) 3,960 bytes

Directory of C:\Program Files\Adobe\Acrobat 5.0\Resource\Cmap

09/10/2001 02:30 AM 3,778 H
1 File(s) 3,778 bytes

Directory of C:\WINDOWS\system32

12/09/2005 09:32 AM 351,771 sttss.bak1
12/17/2005 09:58 PM 322,370 sttss.bak2
12/18/2005 01:07 PM 322,974 sttss.ini
3 File(s) 997,115 bytes

Total Files Listed:
5 File(s) 1,004,853 bytes
0 Dir(s) 14,753,976,320 bytes free
  • 0
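The findthis.bat listing above mixes entries named H with the sttss.* files the search was meant to find. The following is an added example, not part of the original thread: a small parser for `dir /s` output that rebuilds full paths and keeps only names matching a pattern. The function names and the abridged sample are assumptions made for the example.

```python
import fnmatch
import ntpath
import re

# Abridged from the findthis.bat listing posted in this thread.
LISTING = r"""
Directory of C:\Program Files\Adobe\Acrobat 5.0\Resource\Cmap

09/10/2001 02:30 AM 3,778 H
1 File(s) 3,778 bytes

Directory of C:\WINDOWS\system32

12/09/2005 09:32 AM 351,771 sttss.bak1
12/17/2005 09:58 PM 322,370 sttss.bak2
12/18/2005 01:07 PM 322,974 sttss.ini
3 File(s) 997,115 bytes
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY = re.compile(r"^\s*(\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M)\s+([\d,]+|<DIR>)\s+(.+?)\s*$")


def parse_dir_listing(text):
    """Return (full_path, size_bytes, timestamp) for every file entry in the listing."""
    current, files = None, []
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current = header.group(1)  # entries that follow belong to this directory
            continue
        entry = ENTRY.match(line)
        if not entry or current is None or entry.group(2) == "<DIR>":
            continue  # blank lines, "N File(s)" summaries, subdirectory rows
        size = int(entry.group(2).replace(",", ""))
        stamp = " ".join(entry.group(1).split())
        files.append((ntpath.join(current, entry.group(3)), size, stamp))
    return files


def matching(files, pattern):
    """Keep entries whose file name matches the wildcard pattern, ignoring case."""
    return [f for f in files
            if fnmatch.fnmatchcase(ntpath.basename(f[0]).lower(), pattern.lower())]


if __name__ == "__main__":
    for path, size, stamp in matching(parse_dir_listing(LISTING), "sttss.*"):
        print(f"{stamp}  {size:>9,}  {path}")
```

The timestamps are kept alongside each path because they show when each leftover file was last written, which helps when comparing against the dates of earlier cleanup attempts.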

#6
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
elizs77,

OK, a few things we need to clean up.

Please read "ALL" of the instructions before proceeding:
  • Now let's run KillBox.
  • Please double-click KillBox.exe to run it.
  • Select:
    • Delete on Reboot
    • Then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\sttss.bak1
    C:\WINDOWS\system32\sttss.bak2
    C:\WINDOWS\system32\sttss.ini



  • Return to KillBox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run KillBox, click here to download and run missingfilesetup.exe. Then try KillBox again.


Once you have rebooted back into Normal Mode, here is a link for updating your Java.

http://www.java.com/en/download/index.jsp

Your log looks good. How are things running?

Thanks,
rstones12
  • 0





